Cassandra: First Impressions of the RUSI Report on Surveillance and Privacy in the UK

By Graham K. Rogers

Earlier today the long-awaited Royal United Services Institute (RUSI) report on surveillance and privacy in the UK was published. While the analysis appears thorough, and some of the recommendations sensible, there is a difference between what the theorists may suggest and governments, particularly those with pre-conceived ideas on what they need to do about online surveillance, will implement.

I read through the report quickly and below outline a few initial ideas that came from that brief examination. The report of 132 pages is written in a style that is readable, although there is much depth. Those interested will need to allow a number of hours (at least) to look more throughly at the content.

The following quote alone should concern readers about the competence of the report as it was only a few months ago that the Investigatory Powers Tribunal ruled that "electronic communications intercepted in bulk was unlawful until last year".

Despite the disclosures made by Edward Snowden, we have seen no evidence that the British government knowingly acts illegally in intercepting private communications, or that the ability to collect data in bulk is used by the government to provide it with a perpetual window into the private lives of British citizens.

To find a number of links to the information all I had to do was type in "British Court rules that GCHQ collected data illegally" as Google search terms. The top one was a link to the Owen Bowcott, item in the Guardian, "UK-US surveillance regime was unlawful 'for seven years'". Perhaps the use of the present tense in that paragraph assuages some, but there will be an awful lot who will have shifted in their seats uncomfortably on reading that.

The report does concede that a new legal framework is required, perhaps playing into the hands of PM Cameron and his Home Secretary who appear to be intent on collecting everyone's data with the facile, If you do nothing wrong, there is nothing to worry about" mantra; or if unable to collect, then stopping dead those systems or applications whose content they are unable to access because of encryption.

The report states that "such activities must be demonstrably lawful, necessary and proportionate" and this is easy to fix. Don't like something, change the law (or write a new one): trades union history might give some clue as to how changes of governments may alter fortunes. As to "proportionate" the threat of terrorism (or child pornography, or organised crime) are the bogies regularly wheeled out to justify government actions.

Just when the laws seem to have met sufficient opposition, there is always a tame policeman rolled out to tell the public about another secret operation that prevented a terrorist act. This of course may indeed be true, but the strident propaganda that accompanies such efforts implies to some that the terrorists are either stupid or working hand in glove to provide the authorities with the reasons they need.

Three areas are suggested to ensure the public is protected: warrants, oversight; and setting out the principles to Parliament:

The idea of a warrant as a form of protection is risible. There is enough flexibility built into the court systems that swearing a warrant in front of a judge is almost a guarantee that it would be granted. Would there also be a retroactive system as in the US FISA courts where blanket immunity can be granted after the event?

The recommendations of this report already include provisions for bulk interception warrants. With the final authority projected to be the Home Secretary ("secretary of state"), who is not known as a severe critic of the security services - at least not nowadays - the police, GCHQ and other services may be on a winner here. Even judicial review may end up as merely fine words, although the suggestion for an independent body is a ray of some hope.

The various inspectorates are manned from personnel recruited from within the services they are intended to screen and the multi-layer bureaucracies that have been established within the UK are no protection at all when there is already a culture of doing what is necessary. The chances of any outsider discovering if any such illegal acts are carried out suggests the levels of impunity are unlikely to be improved.

It is interesting that the report mentions the Protection of Freedoms Act 2012, which required the destruction of DNA samples and the removal of DNA profiles of certain people in specified circumstances, as it appears that some police forces have failed to comply with the requirements of that law and have retained samples collected (e.g. The Protection of Freedoms Act 2012, Data Protection Society).

The report's Ten Tests for the Intrusion of Privacy (see below) are laudable, but to an extant laughable for some of the reasons above. I believe that these may be great ideas, but they will never get off the ground while the current government is in power.

Where the report scores is in the examination and documentation of just how the age of digital computing has changed the country: commerce, communications, government. There is also a useful assessment of The Dark Web (TOR) and how that - initially developed by US Security, like the internet itself - is being abused. This difference may be insufficiently recognised by the current government who seem to want a catch-all (literally) system, so that there can be retroactive trawling of data.

There is also a fair look at encryption and its value, particularly for safe commerce online. Without such systems, transactions online would be unsafe and the amount of online crime would increase dramatically. The current PM apparently does not seem to realise that encryption is needed and that handing over the keys - by way of some special backdoor - would undermine the whole system.

Of particular interest here are the comments on GCHQ: GCHQ employees are aware they are the guardians of what is potentially a very intrusive set of capabilities to collect [My italics]. . . This follows two troubling passages: "Only by filtering large volumes of information do GCHQ staff believe they can identify, and analyse data on, a selected target"; and "Even if an individual's communications are never actually read . . . the fact that it could be read is regarded by some as placing control in the hands of the state."

A major problem with the UK and such matters - as well as in other countries - is that few are willing to debate the risks involved on both sides. With a World War and the Cold War as part of the living memory for many still alive, these problems were aired (Nazi Germany, Soviet Union) in the past but many deny the same methods are being applied in the 21st Century.

Even if the Report tones down the capabilities of the security services, it is clear that far more control on their operations and better independent supervision is an urgent necessity. I cynically believe that we may expect the current government to note the report and pass.

Ten Tests for the Intrusion of Privacy

Rule of law: All intrusion into privacy must be in accordance with law through processes that can be meaningfully assessed against clear and open legislation, and only for purposes laid down by law.

Necessity: All intrusion must be justified as necessary in relation to explicit tasks and missions assigned to government agencies in accordance with their duly democratic processes, and there should be no other practicable means of achieving the objective.

Proportionality: Intrusion must be judged as proportionate to the advantages gained, not just in cost or resource terms but also through a judgement that the degree of intrusion is matched by the seriousness of the harm to be prevented.

Restraint: It should never become routine for the state to intrude into the lives of its citizens. It must be reluctant to do so, restrained in the powers it chooses to use, and properly authorised when it deems it necessary to intrude.

Effective oversight: An effective regime must be in place. Effectiveness should be judged by the capabilities of the regime to supervise and investigate governmental intrusion, the power it has to bring officials and ministers to account, and the transparency it embodies so the public can be confident it is working properly. There should also be means independently to investigate complaints.

Recognition of necessary secrecy: The 'secret parts of the state' must be acknowledged as necessary to the functioning and protection of the open society. It cannot be more than minimally transparent, but it must be fully democratically accountable.

Minimal secrecy: The 'secret parts of the state' must draw and observe clear boundaries between that which must remain secret (such as intelligence sources or the identity of its employees) and all other aspects of its work which should be openly acknowledged. Necessary secrecy, however, must not be a justification for a wider culture of secrecy on security and intelligence matters.

Transparency: How the law applies to the citizen must be evident if the rule of law is to be upheld. Anything that does not need to be secret should be transparent to the public; not just comprehensible to dedicated specialists but clearly stated in ways that any interested citizen understands.

Legislative clarity: Relevant legislation is not likely to be simple but it must be clearly explained in Codes of Practice that have Parliamentary approval, are kept up-to-date and are accessible to citizens, the private sector, foreign governments and practitioners alike.

Multilateral collaboration: Government policy on intrusion should be capable of being harmonised with that of like-minded open and democratic governments.

See also:

Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs. He is now continuing that in the Bangkok Post supplement, Life.